
Is there any advice you're able to give on how to distinguish situations where you need secure RNG from those that don't matter?

For instance, you definitely need it in poker hand generation - would you need it for random loot generation in an MMO?

Also by "secure" you mean /dev/random, and /dev/urandom is used as if it was rand()?




Using a secure RNG is always a good idea, unless you know you need lots of (predictable given the seed) random numbers for example in Monte Carlo sampling.

Even in randomized algorithms you may have to be careful what RNG you use, because of DDoS risk. For example, see the problems with Python and Ruby hash tables that could be exploited to have worst-case behavior because their behavior was entirely predictable.

In an MMO you most certainly want to use a secure RNG, as cheating is rife in them. If a player can get an advantage by predicting the RNG, someone will.


You should pretty much just default to secure random.

/dev/urandom is fine; in Ruby apps, I'd use OpenSSL::Random.random_bytes or ActiveSupport::SecureRandom.random_number.


If OpenSSL::Random isn't working (because OpenSSL is not installed, for example) there is also SecureRandom in the stdlib. It tries to do the right thing in any situation: use OpenSSL::Random if available, otherwise it will fall back to what's available in the OS you're on.
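The two points above (a seeded PRNG is reproducible, which is what Monte Carlo wants and exactly what a cheating MMO player wants; stdlib `SecureRandom` is the default choice otherwise) can be shown side by side in Ruby. This is an added example, not code posted by any commenter: the loot table, its weights and the `weighted_pick` / `secure_loot_rolls` / `seeded_sequence` helper names are constructed for illustration. The only library calls used are `Random.new(seed).rand(n)` and `SecureRandom.random_number(n)` from the stdlib.

```ruby
require 'securerandom'

# Constructed loot table: item => relative drop weight (sums to 100).
LOOT_TABLE = {
  'common sword' => 70,
  'rare shield'  => 25,
  'epic amulet'  => 5
}.freeze

# Pick one item from a weighted table. `roller` is any callable that,
# given n, returns a uniform integer in 0...n; the RNG choice is made by
# the caller so the same selection logic can be driven by either source.
def weighted_pick(table, roller)
  total = table.values.sum
  roll = roller.call(total)
  table.each do |item, weight|
    return item if roll < weight
    roll -= weight
  end
  raise 'unreachable: roll exceeded total weight'
end

# The default for anything a player could profit from predicting:
# SecureRandom.random_number(n) draws from the OS CSPRNG (OpenSSL or
# /dev/urandom, whichever the stdlib finds) and cannot be replayed
# from a seed, so an observer learns nothing about the next roll.
def secure_loot_rolls(table, count)
  secure = ->(n) { SecureRandom.random_number(n) }
  Array.new(count) { weighted_pick(table, secure) }
end

# The reproducible case: a seeded Mersenne Twister. Two instances built
# from the same seed emit identical streams, which is the property a
# Monte Carlo run wants for repeatability and the property that makes a
# game-server RNG predictable if the seed (or enough output) leaks.
def seeded_sequence(seed, count)
  rng = Random.new(seed)
  Array.new(count) { rng.rand(LOOT_TABLE.values.sum) }
end

if __FILE__ == $PROGRAM_NAME
  puts "secure rolls:   #{secure_loot_rolls(LOOT_TABLE, 5).inspect}"
  puts "seeded (run 1): #{seeded_sequence(1234, 5).inspect}"
  puts "seeded (run 2): #{seeded_sequence(1234, 5).inspect}" # identical
end
```

Running the script prints five secure picks that differ on every invocation, followed by two seeded sequences that are byte-for-byte equal. `weighted_pick` consumes one uniform integer per selection rather than a float from `rand`, which keeps the drop probabilities exactly the stated weights and avoids any modulo bias.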


What cases do you reserve /dev/random for? SSH keygen?

Do those functions just read from /dev/urandom?


I don't. Just use urandom.



